Hi Folks,

I've got shorewall 2.0.8 with mdk10.1. I have this strange thing happening. Sometimes shorewall blocks tcp 25, 110. When I restart shorewall, it opens again. Any idea what I'm missing?

This is my configuration:

/etc/shorewall/policy

#SOURCE DEST   POLICY   LOG     LIMIT:BURST
#                       LEVEL
loc     net    ACCEPT
net     all    DROP     info
loc     fw     ACCEPT
#
# THE FOLLOWING POLICY MUST BE LAST
#
all     all    REJECT   info
#LAST LINE -- DO NOT REMOVE

/etc/shorewall/rules

#ACTION    SOURCE DEST  PROTO DEST                                                                     SOURCE  ORIGINAL RATE  USER/
#                             PORT                                                                     PORT(S) DEST     LIMIT GROUP
AllowPing  loc    fw
AllowPing  fw     net
AllowPing  fw     loc
REDIRECT   loc    3128  tcp   www                                                                      -
ACCEPT     net    fw    tcp   80,443,53,22,20,21,25,109,110,113,143,783,5190,10000,4662,2082,2095,81,119 -
ACCEPT     net    fw    udp   53,5722,2082,2095                                                        -
ACCEPT     fw     net   tcp   80,443,53,22,20,21,25,109,110,113,143,783,5190,10000,4662,2082,2095,81,119 -
ACCEPT     fw     net   udp   53,5722,2082,2095                                                        -
ACCEPT     fw     loc   tcp   80,443,53,22,20,21,25,109,110,113,143,783,5190,10000,4662,2082,2095,81,119 -
ACCEPT     fw     loc   udp   53,5722,2082,2095                                                        -
ACCEPT     fw     loc   udp   137,138,139                                                              -
ACCEPT     fw     loc   tcp   137,139,445                                                              -
ACCEPT     fw     loc   udp   1024:                                                                    137
ACCEPT     loc    fw    tcp   80,443,53,22,20,21,25,109,110,113,143,783,5190,10000,4662,2082,2095,81,119,137,139,445 -
ACCEPT     loc    fw    udp   53,5722,2082,2095,137,138,139                                            -
ACCEPT     loc    fw    udp   1024:                                                                    137
ACCEPT     loc    net   tcp   80,443,53,22,20,21,25,109,110,113,143,783,5190,10000,4662,2082,2095,81,119 -
ACCEPT     loc    net   udp   53,5722,2082,2095                                                        -
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE

Thanks.

--
Fajar Priyanto | Reg'd Linux User #327841 | http://linux2.arinet.org
09:32:17 up 18 min, Mandrakelinux release 10.1 (Community) for i586
public key: https://www.arinet.org/fajar-pub.key
On Friday 05 November 2004 09:37 am, Fajar Priyanto wrote:

Ugh, I forgot...

This is the message when it happens:

Nov 5 09:21:57 mdk101 kernel: Shorewall:FORWARD:REJECT:IN=eth0 OUT=eth0 SRC=192.168.0.234 DST=69.93.40.68 LEN=60 TOS=0x00 PREC=0x00 TTL=63 ID=26919 DF PROTO=TCP SPT=32791 DPT=110 WINDOW=5840 RES=0x00 SYN URGP=0

--
Fajar Priyanto | Reg'd Linux User #327841 | http://linux2.arinet.org
09:45:43 up 32 min, Mandrakelinux release 10.1 (Community) for i586
public key: https://www.arinet.org/fajar-pub.key
Fajar Priyanto wrote:
| On Friday 05 November 2004 09:37 am, Fajar Priyanto wrote:
| Ugh, I forgot...
| This is the message when it happens:
| Nov 5 09:21:57 mdk101 kernel: Shorewall:FORWARD:REJECT:IN=eth0 OUT=eth0
| SRC=192.168.0.234 DST=69.93.40.68 LEN=60 TOS=0x00 PREC=0x00 TTL=63 ID=26919
| DF PROTO=TCP SPT=32791 DPT=110 WINDOW=5840 RES=0x00 SYN URGP=0
|

Folks

Look at the above message while reading FAQ 17:

The IN= and OUT= are both 'eth0' -- this means that Fajar's firewall thinks that traffic coming from 69.93.40.68 enters the firewall on eth0 and traffic going to 192.168.0.234 goes out of 'eth0'.

But this is only happening some of the time...

How could this possibly happen???

~ 69.93.40.68 is a public IP address
~ 192.168.0.234 is a 'private' IP address
~ They both appear to be on the same interface!!!???

My guess is that Fajar has ignored all of the instructions on the Shorewall site that told him NOT TO CONNECT MORE THAN ONE FIREWALL INTERFACE TO THE SAME HUB/SWITCH and has done so anyway and is playing 'ARP roulette'.

To all of the list -- your assignment for tomorrow is to understand why this sometimes works and sometimes doesn't. HINT: The fact that it reportedly works after Fajar restarts Shorewall is a red herring...

I'm serious -- we need more people on this list who can answer this question because it is so fundamental to the way that ethernet works and to how the Linux networking code works.

-Tom

--
Tom Eastep    \ Nothing is foolproof to a sufficiently talented fool
Shoreline,     \ http://shorewall.net
Washington USA  \ teastep@shorewall.net
PGP Public Key   \ https://lists.shorewall.net/teastep.pgp.key
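The diagnostic Tom applies above (IN= and OUT= naming the same interface in a FORWARD log entry, with a private source address and a public destination on that one interface) is easy to automate over a kernel log. The following is an added example, not code from the thread or from the Shorewall project: it parses the "Shorewall:<chain>:<disposition>:" log prefix and the netfilter key=value fields, and reports every forwarded packet that would leave on the interface it arrived on. The sample log is constructed for the example; its first line is the one Fajar posted and the second is a made-up inbound drop for contrast.

```python
import re
from ipaddress import ip_address

# Constructed sample log. Line 1 is the entry quoted in the thread; line 2 is a
# made-up inbound DROP addressed to the firewall itself (no OUT= interface).
SAMPLE_LOG = """\
Nov 5 09:21:57 mdk101 kernel: Shorewall:FORWARD:REJECT:IN=eth0 OUT=eth0 SRC=192.168.0.234 DST=69.93.40.68 LEN=60 TOS=0x00 PREC=0x00 TTL=63 ID=26919 DF PROTO=TCP SPT=32791 DPT=110 WINDOW=5840 RES=0x00 SYN URGP=0
Nov 5 09:22:03 mdk101 kernel: Shorewall:net2all:DROP:IN=eth1 OUT= SRC=203.0.113.9 DST=198.51.100.7 LEN=40 TOS=0x00 PREC=0x00 TTL=51 ID=4 PROTO=TCP SPT=4444 DPT=135 WINDOW=1024 RES=0x00 SYN URGP=0
"""

# Shorewall's log prefix is "Shorewall:<chain>:<disposition>:", followed by the
# usual netfilter key=value fields and bare flag tokens (DF, SYN, ...).
PREFIX_RE = re.compile(r"Shorewall:(?P<chain>[^:]+):(?P<action>[^:]+):(?P<fields>.*)$")


def parse_line(line):
    """Split one Shorewall kernel log line into a dict of its fields, or None."""
    m = PREFIX_RE.search(line)
    if not m:
        return None
    rec = {"chain": m.group("chain"), "action": m.group("action"), "flags": []}
    for tok in m.group("fields").split():
        if "=" in tok:
            key, value = tok.split("=", 1)
            rec[key] = value          # "OUT=" with nothing after it becomes ""
        else:
            rec["flags"].append(tok)  # bare tokens such as DF or SYN
    return rec


def is_hairpin(rec):
    """True when a forwarded packet would leave on the interface it arrived on."""
    return bool(rec.get("OUT")) and rec.get("IN") == rec.get("OUT")


def find_hairpin_records(text):
    """Return every parsed record in text whose IN= and OUT= interfaces are equal."""
    return [rec for rec in map(parse_line, text.splitlines()) if rec and is_hairpin(rec)]


def explain(rec):
    """One-line diagnosis of a hairpin record for the operator."""
    src, dst = ip_address(rec["SRC"]), ip_address(rec["DST"])
    src_scope = "private" if src.is_private else "public"
    dst_scope = "private" if dst.is_private else "public"
    return (f"{rec['chain']}:{rec['action']} in={rec['IN']} out={rec['OUT']} "
            f"{src} ({src_scope}) -> {dst} ({dst_scope}) dport={rec.get('DPT', '?')}: "
            "same interface on both sides; check whether two firewall NICs share one switch")


if __name__ == "__main__":
    for rec in find_hairpin_records(SAMPLE_LOG):
        print(explain(rec))
```

Run against a real /var/log/messages the function flags exactly the entries Tom points at; an entry with OUT= empty is traffic for the firewall itself and is deliberately not reported.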
On Friday 05 November 2004 10:24 am, Tom Eastep wrote:
> Fajar Priyanto wrote:
> | On Friday 05 November 2004 09:37 am, Fajar Priyanto wrote:
> | Ugh, I forgot...
> | This is the message when it happens:
> | Nov 5 09:21:57 mdk101 kernel: Shorewall:FORWARD:REJECT:IN=eth0 OUT=eth0
> | SRC=192.168.0.234 DST=69.93.40.68 LEN=60 TOS=0x00 PREC=0x00 TTL=63 ID=26919
> | DF PROTO=TCP SPT=32791 DPT=110 WINDOW=5840 RES=0x00 SYN URGP=0
>
> Folks
>
> Look at the above message while reading FAQ 17:
>
> The IN= and OUT= are both 'eth0' -- this means that Fajar's firewall
> thinks that traffic coming from 69.93.40.68 enters the firewall on eth0
> and traffic going to 192.168.0.234 goes out of 'eth0'.
>
> But this is only happening some of the time...
>
> How could this possibly happen???
>
> ~ 69.93.40.68 is a public IP address
> ~ 192.168.0.234 is a 'private' IP address
> ~ They both appear to be on the same interface!!!???
>
> My guess is that Fajar has ignored all of the instructions on the
> Shorewall site that told him NOT TO CONNECT MORE THAN ONE FIREWALL
> INTERFACE TO THE SAME HUB/SWITCH and has done so anyway and is playing
> 'ARP roulette'.
>
> To all of the list -- your assignment for tomorrow is to understand why
> this sometimes works and sometimes doesn't. HINT: The fact that it
> reportedly works after Fajar restarts Shorewall is a red herring...
>
> I'm serious -- we need more people on this list who can answer this
> question because it is so fundamental to the way that ethernet works and
> to how the Linux networking code works.
>
> -Tom

Omg... What a mistake I've done. Thanks Tom, I'll work it out.

--
Fajar Priyanto | Reg'd Linux User #327841 | http://linux2.arinet.org
10:28:02 up 1:14, Mandrakelinux release 10.1 (Community) for i586
public key: https://www.arinet.org/fajar-pub.key
> To all of the list -- your assignment for tomorrow is to understand why
> this sometimes works and sometimes doesn't. HINT: The fact that it
> reportedly works after Fajar restarts Shorewall is a red herring...
>
> I'm serious -- we need more people on this list who can answer this
> question because it is so fundamental to the way that ethernet works and
> to how the Linux networking code works.
>
> -Tom

OK I'll bite :)

Something to do with broadcasts and address resolution protocol, ARP. Plug two interfaces into the same switch, then when the network asks "who is 192.168.0.234", linux answers on both devices "I am 192.168.0.234".

Well that's my "simplified" understanding :)

P.
Paul wrote:
| OK I'll bite :)
| Something to do with broadcasts and address resolution protocol, ARP.
| Plug two interfaces into the same switch, then when the network asks "who is
| 192.168.0.234", linux answers on both devices "I am 192.168.0.234".

Yes -- the requests are "who-has" ARP requests that are explained at http://shorewall.net/shorewall_setup_guide.htm#id2499947.

Whether "it works" or not is dependent on which interface reported the "who-has" to the firewall's kernel first. That is because unless /proc/sys/net/ipv4/config/<interface>/arp_filter = 1, when <interface> receives a "who-has" request, the kernel responds with the MAC of that interface. When /proc/sys/net/ipv4/config/<interface>/arp_filter = 1, the kernel will only respond if the IPv4 address being resolved is configured on <interface>.

-Tom

--
Tom Eastep    \ Nothing is foolproof to a sufficiently talented fool
Shoreline,     \ http://shorewall.net
Washington USA  \ teastep@shorewall.net
PGP Public Key   \ https://lists.shorewall.net/teastep.pgp.key
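Tom's explanation of why the symptom is intermittent can be played through in a small model. The block below is an added example, not code from the thread or from Shorewall: it models a firewall with two interfaces on one switch and the kernel's ARP responder under the two settings Tom describes. With arp_filter=0 (the Linux default) the reply carries the MAC of whichever interface handed the broadcast "who-has" to the kernel first, so the LAN host may learn the MAC of the wrong NIC and its traffic then arrives with IN= equal to OUT=; with arp_filter=1 only the interface that owns the address answers, so the outcome no longer depends on arrival order. The sysctl Tom refers to is net.ipv4.conf.<interface>.arp_filter, i.e. /proc/sys/net/ipv4/conf/<interface>/arp_filter. The interface names, addresses and MACs are constructed for the example, and the arp_filter=1 behaviour is modelled as "address configured on the receiving interface", the simplification used in the thread (the real kernel does a route lookup for the sender, which on a flat LAN gives the same result).

```python
from dataclasses import dataclass, field
from ipaddress import ip_address


@dataclass
class Interface:
    name: str
    mac: str
    addresses: set = field(default_factory=set)   # IPv4Address objects


@dataclass
class LinuxHost:
    """Toy model of the kernel ARP responder for one multi-homed host.

    arp_filter=0 (default): any locally configured IPv4 address is answered from
    whichever interface received the who-has, using that interface's MAC.
    arp_filter=1: modelled as in the thread, i.e. answer only if the address is
    configured on the receiving interface (a simplification of the real
    route-lookup check, equivalent on a flat LAN).
    """
    interfaces: dict
    arp_filter: dict = field(default_factory=dict)

    def local_addresses(self):
        return set().union(*(i.addresses for i in self.interfaces.values()))

    def answer_who_has(self, received_on, target):
        """MAC placed in the ARP reply sent out of received_on, or None for no reply."""
        iface = self.interfaces[received_on]
        target = ip_address(target)
        if self.arp_filter.get(received_on, 0) == 1:
            return iface.mac if target in iface.addresses else None
        return iface.mac if target in self.local_addresses() else None


def resolve_on_shared_switch(host, target, arrival_order):
    """Simulate one broadcast who-has that reaches several of host's interfaces.

    arrival_order is the order in which the NICs hand the frame to the kernel;
    the querier keeps the first reply it gets. Returns the name of the interface
    whose MAC the querier ends up with, or None if no interface answers.
    """
    for name in arrival_order:
        mac = host.answer_who_has(name, target)
        if mac is not None:
            return next(n for n, i in host.interfaces.items() if i.mac == mac)
    return None


def build_firewall(arp_filter_value):
    """Constructed firewall: eth0 is the LAN side, eth1 the net side, both on one switch."""
    return LinuxHost(
        interfaces={
            "eth0": Interface("eth0", "00:00:5e:00:53:a0", {ip_address("192.168.0.1")}),
            "eth1": Interface("eth1", "00:00:5e:00:53:a1", {ip_address("203.0.113.2")}),
        },
        arp_filter={"eth0": arp_filter_value, "eth1": arp_filter_value},
    )


def demo():
    """LAN host asks who-has 192.168.0.1; vary arrival order and the sysctl."""
    results = {}
    for value in (0, 1):
        fw = build_firewall(value)
        for order in (("eth0", "eth1"), ("eth1", "eth0")):
            results[(value, order)] = resolve_on_shared_switch(fw, "192.168.0.1", order)
    return results


if __name__ == "__main__":
    for (value, order), iface in demo().items():
        print(f"arp_filter={value}, frame reached {order[0]} first: "
              f"LAN host learns the MAC of {iface}")
```

Restarting the firewall does nothing to the LAN host's ARP cache, which is why Tom calls the "works after restart" observation a red herring; what actually changes the outcome is the next who-has race or the cache entry ageing out. The durable fix is the one Tom's site gives (one firewall interface per broadcast domain); arp_filter=1 only makes the reply deterministic.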